Thailand’s Personal Data Protection Act Passes into Law
04/06/2019
Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), approved by the government earlier this year, was published in the Government Gazette on May 27, 2019.
Provisions relating to the collection, use, and disclosure of personal data will come into force one year after publication. The law is written to be extraterritorial, meaning that it applies to data controllers regardless of their location. Therefore, all applicable business operators who collect or process the personal data of data subjects in Thailand must be fully compliant with the PDPA by May 27, 2020.
Restrictions on the Collection and Use of Data
Personal data, in the context of the PDPA, is an extremely broad term covering any data from which an individual can be identified, notably data belonging to customers, employees, and suppliers, but potentially extending to any data held by a company in the course of its business.
The most significant restrictions on the collection and use of such data under the PDPA are:
- a requirement for data controllers to obtain consent from data subjects (in writing or online) before they can process their personal data (subject to certain exceptions);
- more stringent requirements for sensitive personal data;
- a requirement to arrange sufficient security measures for storing personal data and sensitive personal data;
- restrictions on the transfer of personal data to other countries;
- data breach notification requirements; and
- a requirement for data controllers outside Thailand to appoint a representative within the jurisdiction, who will have certain rights and obligations.
Rights of Data Subjects
In addition, the PDPA grants data subjects various rights over data held by others that relates to them, including the right of access, the right to erasure, the right to object, and the right to data portability. Data controllers must ensure that they honor and guarantee those rights as part of their operations.
Sanctions for Non-Compliance
Penalties for noncompliance are severe, with each offence potentially incurring administrative fines of up to THB 5 million, and criminal fines of up to THB 1 million. The court can also award punitive damages of up to twice the damage caused, and imprisonment for up to a year.
How to Prepare
Given the wide impact of these amendments, and the short grace period for compliance, prudent business operators should conduct a gap analysis in order to understand the classes of data that they currently possess; identify current levels of compliance; assess and mitigate the risks involved in each activity which falls under the PDPA; and review their internal policies, agreements, practices, and any other instruments related to personal data to resolve issues identified in the gap analysis before May 27, 2020.
Business operators should also take necessary actions to ensure that their employees and personnel are fully trained and ready to handle the PDPA in a practical and efficient manner. Business operators should also take the opportunity to review their systems, both online and offline, to ensure that any personal data in their possession is securely held.
By Tilleke & Gibbins, Thailand, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact thailandlabor@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.